How to change domains network route to custom IP when curl?

Question

On Linux I do curl to api.binance.com website and it gives me very long ms latency 0.177s, although the server is located just near binance servers.

# curl -o /dev/null -s -w 'Total: %{time_total}s\n' "https://api.binance.com/api/v3/time"
Total: 0.177313s
# curl -v -X GET "https://api.binance.com/api/v3/time"
Note: Unnecessary use of -X or --request, GET is already inferred.
*   Trying 52.85.241.102:443...
* TCP_NODELAY set
* Connected to api.binance.com (52.85.241.102) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=KY; L=West Bay; O=Binance Holdings Limited; CN=*.binance.com
*  start date: Feb  9 00:00:00 2023 GMT
*  expire date: Feb 16 23:59:59 2024 GMT
*  subjectAltName: host "api.binance.com" matched cert's "*.binance.com"
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=GeoTrust RSA CA 2018
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55beb5cf0300)
> GET /api/v3/time HTTP/2
> Host: api.binance.com
> user-agent: curl/7.68.0
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200 
< content-type: application/json;charset=UTF-8
< content-length: 28
< date: Tue, 17 Oct 2023 22:52:16 GMT
< server: nginx
< x-mbx-uuid: fb406f0d-016b-4bf4-8866-0247a6b7b2ef
< x-mbx-used-weight: 1
< x-mbx-used-weight-1m: 1
< strict-transport-security: max-age=31536000; includeSubdomains
< x-frame-options: SAMEORIGIN
< x-xss-protection: 1; mode=block
< x-content-type-options: nosniff
< content-security-policy: default-src 'self'
< x-content-security-policy: default-src 'self'
< x-webkit-csp: default-src 'self'
< cache-control: no-cache, no-store, must-revalidate
< pragma: no-cache
< expires: 0
< access-control-allow-origin: *
< access-control-allow-methods: GET, HEAD, OPTIONS
< x-cache: Miss from cloudfront
< via: 1.1 a62f7ce6b39c676fcfdde0f9a6fcf08e.cloudfront.net (CloudFront)
< x-amz-cf-pop: ARN1-C1
< x-amz-cf-id: DYu01YZH94O-f5FVTEfzM9MFDwm6_HutV0Sz24IiKDi-5p9VKf7sRg==
< 
* Connection #0 to host api.binance.com left intact
{"serverTime":1697583136754}

Let's fin closest binance server:

# dig api.binance.com +short
d3h36i1mno13q3.cloudfront.net.
18.238.65.94

We see new IP address 18.238.65.94. Now let's check and replace:

# curl -o /dev/null -s -w 'Total: %{time_total}s\n' "http://18.238.65.94/api/v3/time"
Total: 0.023214s

Very good, 0.023s latency is perfect. Let's get http content:

# curl -X GET "http://18.238.65.94/api/v3/time"
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>ERROR: The request could not be satisfied</TITLE>
</HEAD><BODY>
<H1>403 ERROR</H1>
<H2>The request could not be satisfied.</H2>
<HR noshade size="1px">
Bad request.
We can't connect to the server for this app or website at this time. There might be too much traffic or a configuration error. Try again later, or contact the app or website owner.
<BR clear="all">
If you provide content to customers through CloudFront, you can find steps to troubleshoot and help prevent this error by reviewing the CloudFront documentation.
<BR clear="all">
<HR noshade size="1px">
<PRE>
Generated by cloudfront (CloudFront)
Request ID: bJnE_LCwjuJSaxKb-e0X_A9qnpeYuACYLonB2l5t4lLo9SLNonkXiA==
</PRE>
<ADDRESS>
</ADDRESS>
</BODY></HTML>

If I add SSL, getting another error:

# curl -X GET "https://18.238.65.94/api/v3/time"
curl: (60) SSL: no alternative certificate subject name matches target host name '18.238.65.94'
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

As we see, both requests give errors. Q: So, how can I correctly change api.binance.com network root for IP that I found with closest server and get http results?

Answer 1

The two examples you showed aren't measuring the same thing. CloudFront doesn't allow you to use the IP address directly so it generates BAD REQUEST response (which is arguably faster than contacting the origin).

curl -i /dev/null -s -w 'Total: %{time_total}s\n' "https://api.binance.com/api/v3/time"

Total: 0.000000s
HTTP/2 200
content-type: application/json;charset=UTF-8
content-length: 28
date: Wed, 18 Oct 2023 04:07:40 GMT
server: nginx
...

{"serverTime":1697602060387}Total: 0.316431s

Using IP address

curl -i /dev/null -s -w 'Total: %{time_total}s\n' "http://52.222.227.199/api/v3/time"

Total: 0.000000s
HTTP/1.1 403 Forbidden
Server: CloudFront
Date: Wed, 18 Oct 2023 04:09:30 GMT
...
X-Cache: Error from cloudfront
...
<TITLE>ERROR: The request could not be satisfied</TITLE>
</HEAD><BODY>
<H1>403 ERROR</H1>
<H2>The request could not be satisfied.</H2>
<HR noshade size="1px">
Bad request.
We can't connect to the server for this app or website at this time. There might be too much traffic or a configuration error. Try again later, or contact the app or website owner.
<BR clear="all">
If you provide content to customers through CloudFront, you can find steps to troubleshoot and help prevent this error by reviewing the CloudFront documentation.
...